diff --git a/client/CMakeLists.txt b/client/CMakeLists.txt index 4eca55906..ec9bebde2 100644 --- a/client/CMakeLists.txt +++ b/client/CMakeLists.txt @@ -228,6 +228,7 @@ set (TARGET_SOURCES ${PM3_ROOT}/client/src/mifare/mifaredefault.c ${PM3_ROOT}/client/src/mifare/mifarehost.c ${PM3_ROOT}/client/src/nfc/ndef.c + ${PM3_ROOT}/client/src/mifare/lrpcrypto.c ${PM3_ROOT}/client/src/mifare/desfirecrypto.c ${PM3_ROOT}/client/src/mifare/desfiresecurechan.c ${PM3_ROOT}/client/src/mifare/desfirecore.c diff --git a/client/Makefile b/client/Makefile index ef9913149..33b624388 100644 --- a/client/Makefile +++ b/client/Makefile @@ -588,6 +588,7 @@ SRCS = mifare/aiddesfire.c \ loclass/cipherutils.c \ loclass/elite_crack.c \ loclass/ikeys.c \ + mifare/lrpcrypto.c \ mifare/desfirecrypto.c \ mifare/desfirecore.c \ mifare/desfiresecurechan.c \ diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index c55886f91..e04d27774 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -4970,7 +4970,7 @@ static int CmdHF14ADesWriteData(const char *Cmd) { DesfireGenTransSessionKey(trkey, transactionCounter, uid, false, sessionkey); aes_decode(NULL, sessionkey, resp, resp, CRYPTO_AES_BLOCK_SIZE); - PrintAndLogEx(INFO, "Prev reader id [%d]: %s", resplen, sprint_hex(resp, resplen)); + PrintAndLogEx(INFO, "Prev reader id [%zu]: %s", resplen, sprint_hex(resp, resplen)); } readeridpushed = true; diff --git a/client/src/crypto/libpcrypto.h b/client/src/crypto/libpcrypto.h index c589f61f6..89f13f486 100644 --- a/client/src/crypto/libpcrypto.h +++ b/client/src/crypto/libpcrypto.h @@ -16,6 +16,9 @@ #include #include +#define CRYPTO_AES_BLOCK_SIZE 16 +#define CRYPTO_AES128_KEY_SIZE 16 + void des_encrypt(void *out, const void *in, const void *key); void des_decrypt(void *out, const void *in, const void *key); void des_encrypt_ecb(void *out, const void *in, const int length, const void *key); diff --git a/client/src/mifare/desfirecrypto.h b/client/src/mifare/desfirecrypto.h index df5d22d71..a5de60a87 100644 --- a/client/src/mifare/desfirecrypto.h +++ b/client/src/mifare/desfirecrypto.h @@ -24,7 +24,6 @@ #include "common.h" #include "crypto/libpcrypto.h" -#define CRYPTO_AES_BLOCK_SIZE 16 #define MAX_CRYPTO_BLOCK_SIZE 16 #define DESFIRE_MAX_CRYPTO_BLOCK_SIZE 16 #define DESFIRE_MAX_KEY_SIZE 24 diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c index 174d8bd71..1e91d5586 100644 --- a/client/src/mifare/desfiretest.c +++ b/client/src/mifare/desfiretest.c @@ -6,6 +6,9 @@ // the license. //----------------------------------------------------------------------------- // tests for desfire +// +// tests for LRP here: Leakage Resilient Primitive (LRP) Specification, https://www.nxp.com/docs/en/application-note/AN12304.pdf +// //----------------------------------------------------------------------------- #include "desfiretest.h" @@ -16,6 +19,7 @@ #include "crypto/libpcrypto.h" #include "mifare/desfirecrypto.h" +#include "mifare/lrpcrypto.h" static uint8_t CMACData[] = {0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, @@ -474,6 +478,377 @@ static bool TestTransSessionKeys(void) { return res; } +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// page 10 +static bool TestLRPPlaintexts(void) { + bool res = true; + + uint8_t key[] = {0x56, 0x78, 0x26, 0xB8, 0xDA, 0x8E, 0x76, 0x84, 0x32, 0xA9, 0x54, 0x8D, 0xBE, 0x4A, 0xA3, 0xA0}; + LRPContext ctx = {0}; + LRPSetKey(&ctx, key, 0, false); + + uint8_t pt0[] = {0xAC, 0x20, 0xD3, 0x9F, 0x53, 0x41, 0xFE, 0x98, 0xDF, 0xCA, 0x21, 0xDA, 0x86, 0xBA, 0x79, 0x14}; + res = res && (memcmp(ctx.plaintexts[0], pt0, sizeof(pt0)) == 0); + + uint8_t pt1[] = {0x90, 0x7D, 0xA0, 0x3D, 0x67, 0x24, 0x49, 0x16, 0x69, 0x15, 0xE4, 0x56, 0x3E, 0x08, 0x9D, 0x6D}; + res = res && (memcmp(ctx.plaintexts[1], pt1, sizeof(pt1)) == 0); + + uint8_t pt14[] = {0x37, 0xD7, 0x34, 0xA5, 0x1C, 0x07, 0x6E, 0xB8, 0x03, 0xBD, 0x53, 0x0E, 0x17, 0xEB, 0x87, 0xDC}; + res = res && (memcmp(ctx.plaintexts[14], pt14, sizeof(pt14)) == 0); + + uint8_t pt15[] = {0x71, 0xB4, 0x44, 0xAF, 0x25, 0x7A, 0x93, 0x21, 0x53, 0x11, 0xD7, 0x58, 0xDD, 0x33, 0x32, 0x47}; + res = res && (memcmp(ctx.plaintexts[15], pt15, sizeof(pt15)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP plaintexts.... " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP plaintexts.... " _RED_("fail")); + + return res; +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// page 12 +static bool TestLRPUpdatedKeys(void) { + bool res = true; + + uint8_t key[] = {0x56, 0x78, 0x26, 0xB8, 0xDA, 0x8E, 0x76, 0x84, 0x32, 0xA9, 0x54, 0x8D, 0xBE, 0x4A, 0xA3, 0xA0}; + LRPContext ctx = {0}; + LRPSetKey(&ctx, key, 0, false); + + uint8_t key0[] = {0x16, 0x3D, 0x14, 0xED, 0x24, 0xED, 0x93, 0x53, 0x73, 0x56, 0x8E, 0xC5, 0x21, 0xE9, 0x6C, 0xF4}; + res = res && (memcmp(ctx.updatedKeys[0], key0, sizeof(key0)) == 0); + + uint8_t key1[] = {0x1C, 0x51, 0x9C, 0x00, 0x02, 0x08, 0xB9, 0x5A, 0x39, 0xA6, 0x5D, 0xB0, 0x58, 0x32, 0x71, 0x88}; + res = res && (memcmp(ctx.updatedKeys[1], key1, sizeof(key1)) == 0); + + uint8_t key2[] = {0xFE, 0x30, 0xAB, 0x50, 0x46, 0x7E, 0x61, 0x78, 0x3B, 0xFE, 0x6B, 0x5E, 0x05, 0x60, 0x16, 0x0E}; + res = res && (memcmp(ctx.updatedKeys[2], key2, sizeof(key2)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP updated keys.. " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP updated keys.. " _RED_("fail")); + + return res; +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// 3.2 LRP Eval, page 13 +static bool TestLRPEval(void) { + bool res = true; + + LRPContext ctx = {0}; + + uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; + uint8_t key[] = {0x56, 0x78, 0x26, 0xB8, 0xDA, 0x8E, 0x76, 0x84, 0x32, 0xA9, 0x54, 0x8D, 0xBE, 0x4A, 0xA3, 0xA0}; + uint8_t iv[] = {0x13, 0x59}; + LRPSetKey(&ctx, key, 2, false); + LRPEvalLRP(&ctx, iv, sizeof(iv) * 2, true, y); + + uint8_t y1[] = {0x1B, 0xA2, 0xC0, 0xC5, 0x78, 0x99, 0x6B, 0xC4, 0x97, 0xDD, 0x18, 0x1C, 0x68, 0x85, 0xA9, 0xDD}; + res = res && (memcmp(y, y1, sizeof(y1)) == 0); + + uint8_t key2[] = {0xB6, 0x55, 0x57, 0xCE, 0x0E, 0x9B, 0x4C, 0x58, 0x86, 0xF2, 0x32, 0x20, 0x01, 0x13, 0x56, 0x2B}; + uint8_t iv2[] = {0xBB, 0x4F, 0xCF, 0x27, 0xC9, 0x40, 0x76, 0xF7, 0x56, 0xAB, 0x03, 0x0D}; + LRPSetKey(&ctx, key2, 1, false); + LRPEvalLRP(&ctx, iv2, sizeof(iv2) * 2, false, y); + + uint8_t y2[] = {0x6F, 0xDF, 0xA8, 0xD2, 0xA6, 0xAA, 0x84, 0x76, 0xBF, 0x94, 0xE7, 0x1F, 0x25, 0x63, 0x7F, 0x96}; + res = res && (memcmp(y, y2, sizeof(y2)) == 0); + + uint8_t key3[] = {0xC4, 0x8A, 0x8E, 0x8B, 0x16, 0x57, 0x16, 0x45, 0xA1, 0x55, 0x78, 0x25, 0xAA, 0x66, 0xAC, 0x91}; + uint8_t iv3[] = {0x1F, 0x0B, 0x7C, 0x0D, 0xB1, 0x28, 0x89, 0xCA, 0x43, 0x6C, 0xAB, 0xB7, 0x8B, 0xE4, 0x2F, 0x90}; + LRPSetKey(&ctx, key3, 3, false); + LRPEvalLRP(&ctx, iv3, sizeof(iv3) * 2 - 1, true, y); + + uint8_t y3[] = {0x51, 0x29, 0x6B, 0x5E, 0x6D, 0x3B, 0x8D, 0xB8, 0xA1, 0xA7, 0x39, 0x97, 0x60, 0xA1, 0x91, 0x89}; + res = res && (memcmp(y, y3, sizeof(y3)) == 0); + + uint8_t key4[] = {0x54, 0x9C, 0x67, 0xEC, 0xD6, 0x0E, 0x84, 0x8F, 0x77, 0x39, 0x90, 0x99, 0x0C, 0xAC, 0x68, 0x1E}; + uint8_t iv4[] = {0x47, 0x5B, 0xB4, 0x18, 0x78, 0xEB, 0x17, 0x46, 0x8F, 0x7A, 0x68, 0x84, 0x7D, 0xDD, 0x3B, 0xAC}; + LRPSetKey(&ctx, key4, 3, false); + LRPEvalLRP(&ctx, iv4, sizeof(iv4) * 2, true, y); + + uint8_t y4[] = {0xC3, 0xB5, 0xEE, 0x74, 0xA7, 0x22, 0xE7, 0x84, 0x88, 0x7C, 0x4C, 0x9F, 0xDB, 0x49, 0x78, 0x55}; + res = res && (memcmp(y, y4, sizeof(y4)) == 0); + + uint8_t key5[] = {0x80, 0x6A, 0x50, 0x53, 0x0D, 0x77, 0x35, 0xB4, 0x0A, 0xC4, 0xEF, 0x16, 0x38, 0xE8, 0xAD, 0x6A}; + uint8_t iv5[] = {0xD4, 0x13, 0x77, 0x64, 0x71, 0x6D, 0xBC, 0x8C, 0x57, 0x9B, 0xEA, 0xB7, 0xE7, 0x67, 0x54, 0xE0}; + LRPSetKey(&ctx, key5, 3, false); + LRPEvalLRP(&ctx, iv5, sizeof(iv5) * 2 - 1, false, y); + + uint8_t y5[] = {0xCF, 0x99, 0x13, 0x92, 0xF0, 0x36, 0x93, 0x50, 0xA7, 0xE2, 0x1B, 0xE5, 0x2F, 0x74, 0x88, 0x21}; + res = res && (memcmp(y, y5, sizeof(y5)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP eval.......... " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP eval.......... " _RED_("fail")); + + return res; +} + +static bool TestLRPIncCounter(void) { + bool res = true; + + uint8_t ctr1[] = {0x00, 0x01}; + LRPIncCounter(ctr1, 4); + uint8_t ctrr1[] = {0x00, 0x02}; + res = res && (memcmp(ctr1, ctrr1, sizeof(ctrr1)) == 0); + + uint8_t ctr2[] = {0x00, 0xf0}; + LRPIncCounter(ctr2, 3); + uint8_t ctrr2[] = {0x01, 0x00}; + res = res && (memcmp(ctr2, ctrr2, sizeof(ctrr2)) == 0); + + uint8_t ctr3[] = {0xff, 0xf0}; + LRPIncCounter(ctr3, 3); + uint8_t ctrr3[] = {0x00, 0x00}; + res = res && (memcmp(ctr3, ctrr3, sizeof(ctrr3)) == 0); + + uint8_t ctr4[] = {0xf0}; + LRPIncCounter(ctr4, 1); + uint8_t ctrr4[] = {0x00}; + res = res && (memcmp(ctr4, ctrr4, sizeof(ctrr4)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP inc counter... " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP inc counter... " _RED_("fail")); + + return res; +} + +static bool TestLRPEncode(void) { + bool res = true; + + uint8_t resp[100] = {0}; + size_t resplen = 0; + + LRPContext ctx = {0}; + + uint8_t key1[] = {0xE0, 0xC4, 0x93, 0x5F, 0xF0, 0xC2, 0x54, 0xCD, 0x2C, 0xEF, 0x8F, 0xDD, 0xC3, 0x24, 0x60, 0xCF}; + uint8_t iv1[] = {0xC3, 0x31, 0x5D, 0xBF}; + LRPSetKeyEx(&ctx, key1, iv1, sizeof(iv1) * 2, 0, true); + uint8_t data1[] = {0x01, 0x2D, 0x7F, 0x16, 0x53, 0xCA, 0xF6, 0x50, 0x3C, 0x6A, 0xB0, 0xC1, 0x01, 0x0E, 0x8C, 0xB0}; + LRPEncode(&ctx, data1, sizeof (data1), resp, &resplen); + uint8_t res1[] = {0xFC, 0xBB, 0xAC, 0xAA, 0x4F, 0x29, 0x18, 0x24, 0x64, 0xF9, 0x9D, 0xE4, 0x10, 0x85, 0x26, 0x6F, + 0x48, 0x0E, 0x86, 0x3E, 0x48, 0x7B, 0xAA, 0xF6, 0x87, 0xB4, 0x3E, 0xD1, 0xEC, 0xE0, 0xD6, 0x23}; + res = res && (resplen == sizeof(res1)); + res = res && (memcmp(resp, res1, sizeof(res1)) == 0); + + uint8_t key2[] = {0xEF, 0xA5, 0xB7, 0x42, 0x9C, 0xD1, 0x53, 0xBF, 0x00, 0x86, 0xDE, 0xF9, 0x00, 0xC0, 0xF2, 0x35}; + uint8_t iv2[] = {0x90, 0x36, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key2, iv2, sizeof(iv2) * 2, 0, false); + uint8_t data2[] = {0xE7, 0xF6, 0x1E, 0x01, 0x2F, 0x4F, 0x32, 0x55, 0x31, 0x2B, 0xA6, 0x8B, 0x1D, 0x2F, 0xDA, 0xBF}; + LRPEncode(&ctx, data2, sizeof (data2), resp, &resplen); + uint8_t res2[] = {0xEA, 0x6E, 0x09, 0xAC, 0x2F, 0xB9, 0x7E, 0x10, 0x2D, 0x8C, 0xA6, 0x4C, 0x1C, 0xBC, 0x0C, 0x0C}; + res = res && (resplen == sizeof(res2)); + res = res && (memcmp(resp, res2, sizeof(res2)) == 0); + + uint8_t key3[] = {0x9D, 0x81, 0x31, 0x34, 0xCF, 0xDE, 0xE9, 0xD5, 0x87, 0x55, 0xDE, 0xAC, 0xD4, 0xAF, 0x72, 0xA7}; + uint8_t iv3[] = {0xFF, 0xFF, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key3, iv3, sizeof(iv3) * 2, 0, true); + uint8_t data3[] = {0x27}; + LRPEncode(&ctx, data3, sizeof (data3), resp, &resplen); + uint8_t res3[] = {0xF5, 0x83, 0x3F, 0xC3, 0x97, 0x35, 0x6E, 0xA3, 0xD9, 0xEC, 0xAD, 0xBB, 0x9F, 0x6F, 0xE4, 0x40}; + res = res && (resplen == sizeof(res3)); + res = res && (memcmp(resp, res3, sizeof(res3)) == 0); + + uint8_t key4[] = {0xF5, 0xC3, 0xE9, 0x9F, 0xB7, 0x5E, 0x31, 0x6B, 0x76, 0x68, 0x9F, 0xC5, 0x46, 0x42, 0x60, 0xCD}; + uint8_t iv4[] = {0x07, 0x97, 0xF6, 0xB7}; + LRPSetKeyEx(&ctx, key4, iv4, sizeof(iv4) * 2, 0, true); + LRPEncode(&ctx, NULL, 0, resp, &resplen); + uint8_t res4[] = {0x93, 0xDC, 0x3E, 0xE1, 0x4B, 0x61, 0x2B, 0xE6, 0xA3, 0xE9, 0xE2, 0xE8, 0x04, 0x0C, 0xDF, 0xCB}; + res = res && (resplen == sizeof(res4)); + res = res && (memcmp(resp, res4, sizeof(res4)) == 0); + + uint8_t key5[] = {0x9B, 0x1E, 0x41, 0x8D, 0xF9, 0x75, 0x2F, 0x37, 0xEB, 0xBD, 0x8E, 0xE8, 0x33, 0xBD, 0xF2, 0xD7}; + uint8_t iv5[] = {0x24, 0xFF, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key5, iv5, sizeof(iv5) * 2, 0, true); + uint8_t data5[] = {0x55, 0x53, 0x4E, 0x15, 0x9F, 0x14, 0xDD, 0x77, 0x31, 0x36, 0x89, 0x88, 0xEE, 0x6D, 0xD7, 0xC6, + 0x11, 0x4E, 0x74, 0x7F, 0x9C, 0x17, 0xA9, 0x1B, 0xBC, 0x12, 0xD6, 0x8C, 0x26, 0x53, 0x1F, 0x2F, + 0xFC, 0xFC}; + LRPEncode(&ctx, data5, sizeof (data5), resp, &resplen); + uint8_t res5[] = {0x15, 0x8B, 0x3B, 0x9C, 0x61, 0x36, 0xFB, 0x71, 0x5C, 0xCF, 0x43, 0x5C, 0xA4, 0xCA, 0xDE, 0x80, + 0x8D, 0x1F, 0x98, 0x43, 0x13, 0x27, 0x06, 0x1A, 0x9A, 0x64, 0xD5, 0x2A, 0x5F, 0xE7, 0xB2, 0x74, + 0x6D, 0x7F, 0x5A, 0x63, 0x3F, 0xC0, 0xCF, 0xE7, 0x85, 0x56, 0x56, 0xAD, 0x3C, 0x6B, 0x94, 0xCF}; + res = res && (resplen == sizeof(res5)); + res = res && (memcmp(resp, res5, sizeof(res5)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP encode........ " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP encode........ " _RED_("fail")); + + return res; +} + +static bool TestLRPDecode(void) { + bool res = true; + + uint8_t resp[100] = {0}; + size_t resplen = 0; + + LRPContext ctx = {0}; + + uint8_t key1[] = {0xE0, 0xC4, 0x93, 0x5F, 0xF0, 0xC2, 0x54, 0xCD, 0x2C, 0xEF, 0x8F, 0xDD, 0xC3, 0x24, 0x60, 0xCF}; + uint8_t iv1[] = {0xC3, 0x31, 0x5D, 0xBF}; + LRPSetKeyEx(&ctx, key1, iv1, sizeof(iv1) * 2, 0, true); + uint8_t data1[] = {0xFC, 0xBB, 0xAC, 0xAA, 0x4F, 0x29, 0x18, 0x24, 0x64, 0xF9, 0x9D, 0xE4, 0x10, 0x85, 0x26, 0x6F, + 0x48, 0x0E, 0x86, 0x3E, 0x48, 0x7B, 0xAA, 0xF6, 0x87, 0xB4, 0x3E, 0xD1, 0xEC, 0xE0, 0xD6, 0x23}; + LRPDecode(&ctx, data1, sizeof (data1), resp, &resplen); + uint8_t res1[] = {0x01, 0x2D, 0x7F, 0x16, 0x53, 0xCA, 0xF6, 0x50, 0x3C, 0x6A, 0xB0, 0xC1, 0x01, 0x0E, 0x8C, 0xB0}; + res = res && (resplen == sizeof(res1)); + res = res && (memcmp(resp, res1, sizeof(res1)) == 0); + + uint8_t key2[] = {0xEF, 0xA5, 0xB7, 0x42, 0x9C, 0xD1, 0x53, 0xBF, 0x00, 0x86, 0xDE, 0xF9, 0x00, 0xC0, 0xF2, 0x35}; + uint8_t iv2[] = {0x90, 0x36, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key2, iv2, sizeof(iv2) * 2, 0, false); + uint8_t data2[] = {0xEA, 0x6E, 0x09, 0xAC, 0x2F, 0xB9, 0x7E, 0x10, 0x2D, 0x8C, 0xA6, 0x4C, 0x1C, 0xBC, 0x0C, 0x0C}; + LRPDecode(&ctx, data2, sizeof (data2), resp, &resplen); + uint8_t res2[] = {0xE7, 0xF6, 0x1E, 0x01, 0x2F, 0x4F, 0x32, 0x55, 0x31, 0x2B, 0xA6, 0x8B, 0x1D, 0x2F, 0xDA, 0xBF}; + res = res && (resplen == sizeof(res2)); + res = res && (memcmp(resp, res2, sizeof(res2)) == 0); + + uint8_t key3[] = {0x9D, 0x81, 0x31, 0x34, 0xCF, 0xDE, 0xE9, 0xD5, 0x87, 0x55, 0xDE, 0xAC, 0xD4, 0xAF, 0x72, 0xA7}; + uint8_t iv3[] = {0xFF, 0xFF, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key3, iv3, sizeof(iv3) * 2, 0, true); + uint8_t data3[] = {0xF5, 0x83, 0x3F, 0xC3, 0x97, 0x35, 0x6E, 0xA3, 0xD9, 0xEC, 0xAD, 0xBB, 0x9F, 0x6F, 0xE4, 0x40}; + LRPDecode(&ctx, data3, sizeof (data3), resp, &resplen); + uint8_t res3[] = {0x27}; + res = res && (resplen == sizeof(res3)); + res = res && (memcmp(resp, res3, sizeof(res3)) == 0); + + uint8_t key4[] = {0xF5, 0xC3, 0xE9, 0x9F, 0xB7, 0x5E, 0x31, 0x6B, 0x76, 0x68, 0x9F, 0xC5, 0x46, 0x42, 0x60, 0xCD}; + uint8_t iv4[] = {0x07, 0x97, 0xF6, 0xB7}; + LRPSetKeyEx(&ctx, key4, iv4, sizeof(iv4) * 2, 0, true); + uint8_t data4[] = {0x93, 0xDC, 0x3E, 0xE1, 0x4B, 0x61, 0x2B, 0xE6, 0xA3, 0xE9, 0xE2, 0xE8, 0x04, 0x0C, 0xDF, 0xCB}; + LRPDecode(&ctx, data4, sizeof(data4), resp, &resplen); + res = res && (resplen == 0); + + uint8_t key5[] = {0x9B, 0x1E, 0x41, 0x8D, 0xF9, 0x75, 0x2F, 0x37, 0xEB, 0xBD, 0x8E, 0xE8, 0x33, 0xBD, 0xF2, 0xD7}; + uint8_t iv5[] = {0x24, 0xFF, 0xFF, 0xFF}; + LRPSetKeyEx(&ctx, key5, iv5, sizeof(iv5) * 2, 0, true); + uint8_t data5[] = {0x15, 0x8B, 0x3B, 0x9C, 0x61, 0x36, 0xFB, 0x71, 0x5C, 0xCF, 0x43, 0x5C, 0xA4, 0xCA, 0xDE, 0x80, + 0x8D, 0x1F, 0x98, 0x43, 0x13, 0x27, 0x06, 0x1A, 0x9A, 0x64, 0xD5, 0x2A, 0x5F, 0xE7, 0xB2, 0x74, + 0x6D, 0x7F, 0x5A, 0x63, 0x3F, 0xC0, 0xCF, 0xE7, 0x85, 0x56, 0x56, 0xAD, 0x3C, 0x6B, 0x94, 0xCF}; + LRPDecode(&ctx, data5, sizeof (data5), resp, &resplen); + uint8_t res5[] = {0x55, 0x53, 0x4E, 0x15, 0x9F, 0x14, 0xDD, 0x77, 0x31, 0x36, 0x89, 0x88, 0xEE, 0x6D, 0xD7, 0xC6, + 0x11, 0x4E, 0x74, 0x7F, 0x9C, 0x17, 0xA9, 0x1B, 0xBC, 0x12, 0xD6, 0x8C, 0x26, 0x53, 0x1F, 0x2F, + 0xFC, 0xFC}; + res = res && (resplen == sizeof(res5)); + res = res && (memcmp(resp, res5, sizeof(res5)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP decode........ " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP decode........ " _RED_("fail")); + + return res; +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// 3.4 LRP CMAC +static bool TestLRPSubkeys(void) { + bool res = true; + + uint8_t sk1[CRYPTO_AES128_KEY_SIZE] = {0}; + uint8_t sk2[CRYPTO_AES128_KEY_SIZE] = {0}; + + uint8_t key1[] = {0x81, 0x95, 0x08, 0x8C, 0xE6, 0xC3, 0x93, 0x70, 0x8E, 0xBB, 0xE6, 0xC7, 0x91, 0x4E, 0xCB, 0x0B}; + uint8_t sk1r1[] = {0x16, 0x91, 0x2B, 0x8D, 0x19, 0xD9, 0x4B, 0x2D, 0x4D, 0xA4, 0xFF, 0xA1, 0xCA, 0xD2, 0x18, 0x23}; + uint8_t sk2r1[] = {0x2D, 0x22, 0x57, 0x1A, 0x33, 0xB2, 0x96, 0x5A, 0x9B, 0x49, 0xFF, 0x43, 0x95, 0xA4, 0x30, 0x46}; + + LRPGenSubkeys(key1, sk1, sk2); + res = res && (memcmp(sk1, sk1r1, sizeof(sk1r1)) == 0); + res = res && (memcmp(sk2, sk2r1, sizeof(sk2r1)) == 0); + + uint8_t key2[] = {0x11, 0xED, 0x02, 0x02, 0x25, 0x70, 0xCB, 0x10, 0x50, 0x2B, 0xC1, 0xDA, 0xCF, 0x64, 0xB2, 0x1F}; + uint8_t sk1r2[] = {0x5B, 0x5D, 0x85, 0x36, 0x61, 0xE5, 0x1B, 0xC9, 0x13, 0x77, 0xED, 0xCE, 0xB6, 0x22, 0xBF, 0x6E}; + uint8_t sk2r2[] = {0xB6, 0xBB, 0x0A, 0x6C, 0xC3, 0xCA, 0x37, 0x92, 0x26, 0xEF, 0xDB, 0x9D, 0x6C, 0x45, 0x7E, 0xDC}; + + LRPGenSubkeys(key2, sk1, sk2); + res = res && (memcmp(sk1, sk1r2, sizeof(sk1r2)) == 0); + res = res && (memcmp(sk2, sk2r2, sizeof(sk2r2)) == 0); + + uint8_t key3[] = {0x5A, 0xA9, 0xF6, 0xC6, 0xDE, 0x51, 0x38, 0x11, 0x3D, 0xF5, 0xD6, 0xB6, 0xC7, 0x7D, 0x5D, 0x52}; + uint8_t sk1r3[] = {0x2A, 0xE0, 0xEB, 0xD3, 0x76, 0xBC, 0xD4, 0xA2, 0x7B, 0x1C, 0xD4, 0x06, 0xD2, 0x43, 0x1C, 0xF9}; + uint8_t sk2r3[] = {0x55, 0xC1, 0xD7, 0xA6, 0xED, 0x79, 0xA9, 0x44, 0xF6, 0x39, 0xA8, 0x0D, 0xA4, 0x86, 0x39, 0xF2}; + + LRPGenSubkeys(key3, sk1, sk2); + res = res && (memcmp(sk1, sk1r3, sizeof(sk1r3)) == 0); + res = res && (memcmp(sk2, sk2r3, sizeof(sk2r3)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP subkeys....... " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP subkeys....... " _RED_("fail")); + + return res; +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// 3.4 LRP CMAC +static bool TestLRPCMAC(void) { + bool res = true; + + LRPContext ctx = {0}; + uint8_t cmac[CRYPTO_AES128_KEY_SIZE] = {0}; + + uint8_t key1[] = {0x81, 0x95, 0x08, 0x8C, 0xE6, 0xC3, 0x93, 0x70, 0x8E, 0xBB, 0xE6, 0xC7, 0x91, 0x4E, 0xCB, 0x0B}; + LRPSetKey(&ctx, key1, 0, true); + uint8_t data1[] = {0xBB, 0xD5, 0xB8, 0x57, 0x72, 0xC7}; + LRPCMAC(&ctx, data1, sizeof(data1), cmac); + uint8_t cmacres1[] = {0xAD, 0x85, 0x95, 0xE0, 0xB4, 0x9C, 0x5C, 0x0D, 0xB1, 0x8E, 0x77, 0x35, 0x5F, 0x5A, 0xAF, 0xF6}; + res = res && (memcmp(cmac, cmacres1, sizeof(cmacres1)) == 0); + + uint8_t key2[] = {0x5A, 0xA9, 0xF6, 0xC6, 0xDE, 0x51, 0x38, 0x11, 0x3D, 0xF5, 0xD6, 0xB6, 0xC7, 0x7D, 0x5D, 0x52}; + LRPSetKey(&ctx, key2, 0, true); + uint8_t data2[] = {0xA4, 0x43, 0x4D, 0x74, 0x0C, 0x2C, 0xB6, 0x65, 0xFE, 0x53, 0x96, 0x95, 0x91, 0x89, 0x38, 0x3F}; + LRPCMAC(&ctx, data2, sizeof(data2), cmac); + uint8_t cmacres2[] = {0x8B, 0x43, 0xAD, 0xF7, 0x67, 0xE4, 0x6B, 0x69, 0x2E, 0x8F, 0x24, 0xE8, 0x37, 0xCB, 0x5E, 0xFC}; + res = res && (memcmp(cmac, cmacres2, sizeof(cmacres2)) == 0); + + uint8_t key3[] = {0x0D, 0x46, 0x55, 0x75, 0x50, 0xCB, 0x31, 0x3F, 0x36, 0xAF, 0xBA, 0x87, 0x62, 0x5D, 0x96, 0x1A}; + LRPSetKey(&ctx, key3, 0, true); + uint8_t data3[] = {0x90}; + LRPCMAC(&ctx, data3, sizeof(data3), cmac); + uint8_t cmacres3[] = {0xF7, 0xC8, 0x55, 0x3D, 0xED, 0x57, 0x48, 0x29, 0xE6, 0xEE, 0x68, 0x11, 0x2C, 0xB3, 0x81, 0x7B}; + res = res && (memcmp(cmac, cmacres3, sizeof(cmacres3)) == 0); + + uint8_t key4[] = {0x2A, 0x47, 0x3E, 0x38, 0xBB, 0xF4, 0x53, 0x7C, 0x53, 0x97, 0xF4, 0x5A, 0xE4, 0x98, 0xCD, 0x4D}; + LRPSetKey(&ctx, key4, 0, true); + uint8_t data4[] = {0xC2, 0xAC, 0x3D, 0x72, 0x50, 0xEE, 0xF0, 0x23, 0x18, 0xBC, 0x08, 0x4F, 0x29, 0x4B, 0x1A, 0xC7, + 0x22, 0x91, 0xEE, 0x1D, 0xC0, 0x2A, 0xF4, 0x24, 0x94, 0x1C, 0xAA, 0xC6, 0x85, 0xFC, 0xA5, 0x9D, + 0x90, 0x08, 0x67, 0x9B, 0x00, 0xC5, 0x6A, 0x05, 0x62, 0x58, 0x3B, 0xDA, 0xEC, 0x0B, 0xBA}; + LRPCMAC(&ctx, data4, sizeof(data4), cmac); + uint8_t cmacres4[] = {0x66, 0xDC, 0x2B, 0xCE, 0x26, 0x9B, 0x79, 0x3B, 0x4A, 0xCA, 0x1A, 0x4D, 0x04, 0xDD, 0xD6, 0x68}; + res = res && (memcmp(cmac, cmacres4, sizeof(cmacres4)) == 0); + + uint8_t key5[] = {0x63, 0xA0, 0x16, 0x9B, 0x4D, 0x9F, 0xE4, 0x2C, 0x72, 0xB2, 0x78, 0x4C, 0x80, 0x6E, 0xAC, 0x21}; + LRPSetKey(&ctx, key5, 0, true); + LRPCMAC(&ctx, NULL, 0, cmac); + uint8_t cmacres5[] = {0x0E, 0x07, 0xC6, 0x01, 0x97, 0x08, 0x14, 0xA4, 0x17, 0x6F, 0xDA, 0x63, 0x3C, 0x6F, 0xC3, 0xDE}; + res = res && (memcmp(cmac, cmacres5, sizeof(cmacres5)) == 0); + + uint8_t key6[] = {0x95, 0x2F, 0xDE, 0x83, 0x93, 0xC4, 0x5D, 0x23, 0x0A, 0x5B, 0xE9, 0xB3, 0x86, 0x36, 0xD1, 0x54}; + LRPSetKey(&ctx, key6, 0, true); + uint8_t data6[] = {0xD7, 0x80, 0x0E, 0x25, 0x70, 0x01, 0xA7, 0x74, 0xAE, 0x7B, 0xCF, 0xB2, 0xCE, 0x13, 0x07, 0xB5, + 0xB0, 0x44}; + LRPCMAC(&ctx, data6, sizeof(data6), cmac); + uint8_t cmacres6[] = {0x05, 0xF1, 0xCE, 0x30, 0x45, 0x1A, 0x03, 0xA6, 0xE4, 0x68, 0xB3, 0xA5, 0x90, 0x33, 0xA5, 0x54}; + res = res && (memcmp(cmac, cmacres6, sizeof(cmacres6)) == 0); + + if (res) + PrintAndLogEx(INFO, "LRP CMAC.......... " _GREEN_("passed")); + else + PrintAndLogEx(ERR, "LRP CMAC.......... " _RED_("fail")); + + return res; +} + bool DesfireTest(bool verbose) { bool res = true; @@ -492,6 +867,14 @@ bool DesfireTest(bool verbose) { res = res && TestEV2IVEncode(); res = res && TestEV2MAC(); res = res && TestTransSessionKeys(); + res = res && TestLRPPlaintexts(); + res = res && TestLRPUpdatedKeys(); + res = res && TestLRPEval(); + res = res && TestLRPIncCounter(); + res = res && TestLRPEncode(); + res = res && TestLRPDecode(); + res = res && TestLRPSubkeys(); + res = res && TestLRPCMAC(); PrintAndLogEx(INFO, "---------------------------"); if (res) diff --git a/client/src/mifare/lrpcrypto.c b/client/src/mifare/lrpcrypto.c new file mode 100644 index 000000000..113191162 --- /dev/null +++ b/client/src/mifare/lrpcrypto.c @@ -0,0 +1,267 @@ +/*- + * Copyright (C) 2021 Merlok + * + * This program is free software: you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published by the + * Free Software Foundation, either version 3 of the License, or (at your + * option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see + * + * $Id$ + * + * description here: Leakage Resilient Primitive (LRP) Specification, https://www.nxp.com/docs/en/application-note/AN12304.pdf + * + */ + +#include "lrpcrypto.h" + +#include +#include +#include +#include "ui.h" +#include "aes.h" +#include "commonutil.h" + +static uint8_t constAA[] = {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa}; +static uint8_t const55[] = {0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55}; +static uint8_t const00[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + +void LRPClearContext(LRPContext *ctx) { + memset(ctx->key, 0, CRYPTO_AES128_KEY_SIZE); + + ctx->useBitPadding = false; + ctx->plaintextsCount = 0; + memset(ctx->plaintexts, 0, LRP_MAX_PLAINTEXTS_SIZE * CRYPTO_AES128_KEY_SIZE); + ctx->updatedKeysCount = 0; + memset(ctx->updatedKeys, 0, LRP_MAX_UPDATED_KEYS_SIZE * CRYPTO_AES128_KEY_SIZE); + ctx->useUpdatedKeyNum = 0; +} + +void LRPSetKey(LRPContext *ctx, uint8_t *key, size_t updatedKeyNum, bool useBitPadding) { + LRPClearContext(ctx); + + memcpy(ctx->key, key, CRYPTO_AES128_KEY_SIZE); + + LRPGeneratePlaintexts(ctx, 16); + LRPGenerateUpdatedKeys(ctx, 4); + + ctx->useUpdatedKeyNum = updatedKeyNum; + ctx->useBitPadding = useBitPadding; + + memcpy(ctx->counter, const00, CRYPTO_AES128_KEY_SIZE); + ctx->counterLenNibbles = CRYPTO_AES128_KEY_SIZE; +} + +void LRPSetCounter(LRPContext *ctx, uint8_t *counter, size_t counterLenNibbles) { + memcpy(ctx->counter, counter, counterLenNibbles / 2); + ctx->counterLenNibbles = counterLenNibbles; +} + +void LRPSetKeyEx(LRPContext *ctx, uint8_t *key, uint8_t *counter, size_t counterLenNibbles, size_t updatedKeyNum, bool useBitPadding){ + LRPSetKey(ctx, key, updatedKeyNum, useBitPadding); + LRPSetCounter(ctx, counter, counterLenNibbles); +} + + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 1 +void LRPGeneratePlaintexts(LRPContext *ctx, size_t plaintextsCount) { + if (plaintextsCount > LRP_MAX_PLAINTEXTS_SIZE) + return; + + uint8_t h[CRYPTO_AES128_KEY_SIZE] = {0}; + memcpy(h, ctx->key, CRYPTO_AES128_KEY_SIZE); + + for (int i = 0; i < plaintextsCount; i++) { + aes_encode(NULL, h, const55, h, CRYPTO_AES128_KEY_SIZE); + aes_encode(NULL, h, constAA, ctx->plaintexts[i], CRYPTO_AES128_KEY_SIZE); + } + + ctx->plaintextsCount = plaintextsCount; +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 2 +void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount) { + if (updatedKeysCount > LRP_MAX_UPDATED_KEYS_SIZE) + return; + + uint8_t h[CRYPTO_AES128_KEY_SIZE] = {0}; + aes_encode(NULL, ctx->key, constAA, h, CRYPTO_AES128_KEY_SIZE); + + for (int i = 0; i < updatedKeysCount; i++) { + aes_encode(NULL, h, constAA, ctx->updatedKeys[i], CRYPTO_AES128_KEY_SIZE); + aes_encode(NULL, h, const55, h, CRYPTO_AES128_KEY_SIZE); + } + + ctx->updatedKeysCount = updatedKeysCount; +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 3 +void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t *y) { + uint8_t ry[CRYPTO_AES128_KEY_SIZE] = {0}; + memcpy(ry, ctx->updatedKeys[ctx->useUpdatedKeyNum], CRYPTO_AES128_KEY_SIZE); + + for (int i = 0; i < ivlen; i++) { + uint8_t nk = (i % 2) ? iv[i / 2] & 0x0f : (iv[i / 2] >> 4) & 0x0f; + aes_encode(NULL, ry, ctx->plaintexts[nk], ry, CRYPTO_AES128_KEY_SIZE); + } + + if (final) + aes_encode(NULL, ry, const00, ry, CRYPTO_AES128_KEY_SIZE); + memcpy(y, ry, CRYPTO_AES128_KEY_SIZE); +} + +void LRPIncCounter(uint8_t *ctr, size_t ctrlen) { + bool carry = true; + for (int i = ctrlen - 1; i >= 0; i--) { + uint8_t nk = (i % 2) ? ctr[i / 2] & 0x0f : (ctr[i / 2] >> 4) & 0x0f; + + if (carry) + nk++; + + carry = (nk > 0xf); + if (i % 2) + ctr[i / 2] = (ctr[i / 2] & 0xf0) | (nk & 0x0f); + else + ctr[i / 2] = (ctr[i / 2] & 0x0f) | ((nk << 4) & 0xf0); + + if(!carry) + break; + } +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 4 +void LRPEncode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen) { + *resplen = 0; + + uint8_t xdata[1024] = {0}; + memcpy(xdata, data, datalen); + if (ctx->useBitPadding) { + xdata[datalen] = 0x80; + datalen++; + } + + if (datalen % CRYPTO_AES128_KEY_SIZE) + datalen = datalen + CRYPTO_AES128_KEY_SIZE - (datalen % CRYPTO_AES128_KEY_SIZE); + + if (datalen == 0) + return; + + uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; + for (int i = 0; i < datalen / CRYPTO_AES128_KEY_SIZE; i++) { + LRPEvalLRP(ctx, ctx->counter, ctx->counterLenNibbles, true, y); + aes_encode(NULL, y, &xdata[i * CRYPTO_AES128_KEY_SIZE], &resp[i * CRYPTO_AES128_KEY_SIZE], CRYPTO_AES128_KEY_SIZE); + *resplen += CRYPTO_AES128_KEY_SIZE; + LRPIncCounter(ctx->counter, ctx->counterLenNibbles); + } +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 5 +void LRPDecode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen) { + *resplen = 0; + if (datalen % CRYPTO_AES128_KEY_SIZE) + return; + + uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; + for (int i = 0; i < datalen / CRYPTO_AES128_KEY_SIZE; i++) { + LRPEvalLRP(ctx, ctx->counter, ctx->counterLenNibbles, true, y); + aes_decode(NULL, y, &data[i * CRYPTO_AES128_KEY_SIZE], &resp[i * CRYPTO_AES128_KEY_SIZE], CRYPTO_AES128_KEY_SIZE); + *resplen += CRYPTO_AES128_KEY_SIZE; + LRPIncCounter(ctx->counter, ctx->counterLenNibbles); + } + + // search padding + if (ctx->useBitPadding) { + for (int i = *resplen - 1; i >= *resplen - CRYPTO_AES128_KEY_SIZE; i--) { + if (resp[i] == 0x80) + *resplen = i; + if (resp[i] != 0x00) + break; + } + } +} + +static bool shiftLeftBe(uint8_t *data, size_t length) { + if (length == 0) + return false; + + bool carry = false; + for (int i = length - 1; i >= 0; i--) { + uint8_t val = data[i]; + val = (val << 1) | ((carry) ? 1 : 0); + carry = ((data[i] & 0x80) != 0); + data[i] = val; + } + return carry; +} + +// GF(2 ^ 128) +// poly x^128 + x ^ 7 + x ^ 2 + x + 1 +// bit: 1000..0010000111 == 0x1 00 00 .. 00 00 87 +static void mulPolyX(uint8_t *data) { + if (shiftLeftBe(data, 16)) + data[15] = data[15] ^ 0x87; +} + +void LRPGenSubkeys(uint8_t *key, uint8_t *sk1, uint8_t *sk2) { + LRPContext ctx = {0}; + LRPSetKey(&ctx, key, 0, true); + + uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; + LRPEvalLRP(&ctx, const00, CRYPTO_AES128_KEY_SIZE * 2, true, y); + + mulPolyX(y); + memcpy(sk1, y, CRYPTO_AES128_KEY_SIZE); + + mulPolyX(y); + memcpy(sk2, y, CRYPTO_AES128_KEY_SIZE); +} + +// https://www.nxp.com/docs/en/application-note/AN12304.pdf +// Algorithm 6 +void LRPCMAC(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *cmac) { + uint8_t sk1[CRYPTO_AES128_KEY_SIZE] = {0}; + uint8_t sk2[CRYPTO_AES128_KEY_SIZE] = {0}; + LRPGenSubkeys(ctx->key, sk1, sk2); + + uint8_t y[CRYPTO_AES128_KEY_SIZE] = {0}; + size_t clen = 0; + for (int i = 0; i < datalen / CRYPTO_AES128_KEY_SIZE; i++) { + if (datalen - clen <= CRYPTO_AES128_KEY_SIZE) + break; + + bin_xor(y, &data[i * CRYPTO_AES128_KEY_SIZE], CRYPTO_AES128_KEY_SIZE); + LRPEvalLRP(ctx, y, CRYPTO_AES128_KEY_SIZE * 2, true, y); + clen += CRYPTO_AES128_KEY_SIZE; + } + + size_t bllen = datalen - clen; + uint8_t bl[CRYPTO_AES128_KEY_SIZE] = {0}; + memcpy(bl, &data[clen], bllen); + + // last block + if (bllen == 16) { + bin_xor(y, bl, CRYPTO_AES128_KEY_SIZE); + + bin_xor(y, sk1, CRYPTO_AES128_KEY_SIZE); + } else { + // padding + bl[bllen] = 0x80; + bin_xor(y, bl, CRYPTO_AES128_KEY_SIZE); + + bin_xor(y, sk2, CRYPTO_AES128_KEY_SIZE); + } + + LRPEvalLRP(ctx, y, CRYPTO_AES128_KEY_SIZE * 2, true, cmac); +} diff --git a/client/src/mifare/lrpcrypto.h b/client/src/mifare/lrpcrypto.h new file mode 100644 index 000000000..19a811137 --- /dev/null +++ b/client/src/mifare/lrpcrypto.h @@ -0,0 +1,60 @@ +/*- + * Copyright (C) 2021 Merlok + * + * This program is free software: you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published by the + * Free Software Foundation, either version 3 of the License, or (at your + * option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see + * + * $Id$ + * + * description here: Leakage Resilient Primitive (LRP) Specification, https://www.nxp.com/docs/en/application-note/AN12304.pdf + * + */ + +#ifndef __LRPCRYPTO_H +#define __LRPCRYPTO_H + +#include "common.h" +#include "crypto/libpcrypto.h" + +#define LRP_MAX_PLAINTEXTS_SIZE 16 +#define LRP_MAX_UPDATED_KEYS_SIZE 4 +#define LRP_MAX_COUNTER_SIZE (CRYPTO_AES128_KEY_SIZE * 4) + +typedef struct { + uint8_t key[CRYPTO_AES128_KEY_SIZE]; + + bool useBitPadding; + size_t plaintextsCount; + uint8_t plaintexts[LRP_MAX_PLAINTEXTS_SIZE][CRYPTO_AES128_KEY_SIZE]; + size_t updatedKeysCount; + uint8_t updatedKeys[LRP_MAX_UPDATED_KEYS_SIZE][CRYPTO_AES128_KEY_SIZE]; + size_t useUpdatedKeyNum; + + uint8_t counter[LRP_MAX_COUNTER_SIZE]; + size_t counterLenNibbles; // len in bytes * 2 (or * 2 - 1) +} LRPContext; + +void LRPClearContext(LRPContext *ctx); +void LRPSetKey(LRPContext *ctx, uint8_t *key, size_t updatedKeyNum, bool useBitPadding); +void LRPSetKeyEx(LRPContext *ctx, uint8_t *key, uint8_t *counter, size_t counterLenNibbles, size_t updatedKeyNum, bool useBitPadding); +void LRPSetCounter(LRPContext *ctx, uint8_t *counter, size_t counterLenNibbles); +void LRPGeneratePlaintexts(LRPContext *ctx, size_t plaintextsCount); +void LRPGenerateUpdatedKeys(LRPContext *ctx, size_t updatedKeysCount); +void LRPEvalLRP(LRPContext *ctx, uint8_t *iv, size_t ivlen, bool final, uint8_t *y); +void LRPIncCounter(uint8_t *ctr, size_t ctrlen); +void LRPEncode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen); +void LRPDecode(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen); +void LRPGenSubkeys(uint8_t *key, uint8_t *sk1, uint8_t *sk2); +void LRPCMAC(LRPContext *ctx, uint8_t *data, size_t datalen, uint8_t *cmac); + +#endif // __LRPCRYPTO_H